@alikon I wouldn't exactly worry about the well being of hosters that can't keep their server stack up to date. If they can't update PHP 5.3 to the latest version that might not be the only department they are lacking in. Run, clients, run!

Navigating down the report, you can see how much of that is PHP 5.3 based, then each release of 5.3. You can then see the numbers and estimate for yourself based on how many websites are powered by a release of PHP that will not be supported in Joomla 3.3.

First of all I wanted to say that I fully support any efforts to increase security in Joomla and increasing the minimum requirement for PHP is a good idea. However, I think there is one problem that will be encountered:

Centos 6.5, the current stable release of Centos ships with PHP 5.3.3.

I assume here in Germany quite a lot of hosters/website owners will be affected, because many of them still rely on the control panel Confixx, which was originally developed by a German company and later bought by Parallels (Plesk), but unfortunately Parallels stopped the development of Confixx. The last official version does not support PHP 5.3 or 5.4, but many of these hosters applied unofficial patches to make it work with certain PHP 5.3 versions.

My webhoster, who provides an outstanding service for little money, is (afaik) currently using the latest Debian 6 package released in Fall 2013, which to the best of my knowledge comes with php 5.3.7 bundled. (That's the version my Joomla system information shows)

Last edited by jk1 on Thu Jan 30, 2014 2:41 pm, edited 1 time in total.

Support for PHP 5.4 or 5.5 isn't affected by this change; only the minimum version of PHP 5.3 we will support starting with the 3.3 release.

It was slipped into the holiday break post in December that we would be releasing a 3.3 which changes the timeline for future releases. We plan at least one additional post outlining a bit more about what we plan to accomplish with 3.3 in the next 2 weeks.

I fully agree with raising the minimum PHP requirement to PHP 5.3.10. It will help make our Joomla websites much more secure.

For hosting companies: hosting is dynamic business, not static. This means you should keep your hosting software up to date! Just as website-owners are expected to keep their Joomla versions and extensions up to date.

Agreeing with the CentOS poster, another problematic OS is RHEL 6 (and Scientific Linux). We have the very latest patches on the very latest RHEL OS, and, in October we will not be able to upgrade to Joomla 3.3 and will not receive security patches for the 3.2.x releases. There is no alternative for RHEL/CentOS/Scientific Linux users. These are enterprise OSes and should be supported by Joomla. I strongly suggest the Leadership team revise their policy of not "writing conditional tests and using software appropriate to the PHP features found" in this case.

We attempted to account for hosts running versions of PHP which report as <5.3.10 and that resulted in the major issues that were in the 3.2.0 release. Those systems which are reporting older PHP versions but have patched in fixes and features from newer releases cause problems because they are not the true PHP version they are reporting.

You should take into account that there might be websites that do NOT support PHP 5.4 on a server with a lot of clients. How do you keep both happy?

Running an enterprise distro with PHP 5.3.3 is perfectly fine with the password_compat library. You shouldn't force through newer versions, because you lack knowledge about frozen versions/don't care about the amount of headache this will cause in situations you might not have in mind when it was decided.

While I -do- support less vulnerable servers (either PHP or Joomla related), it's not your job to make PHP or hosts more secure by screwing over those that are. If this was the case you might as well just stop supporting PHP 5.3 as it's basically EOL...

Better security is good, but removing support for the most used distros (RHEL/CentOS/Debian) is a big no no.

You will end up with a worse scenario if you don't allow PHP versions shipped with RHEL/CentOS/Debian. Either people will not use Joomla 3.3+ because their host doesn't support it (over 50%), or they will use old vulnerable versions (<3.2.x). Both just as bad...

A LOT of sites are on RHEL/CentOS/Debian and are fully up to date with security patches, but due to 'backporting' the version number is 'frozen' and will never pass your new test as it is currently written. It's not accurate to say that those versions of PHP are any less secure than 5.3.10.

Joomla! should also support those popular OS platforms. I know you don't want to encourage people to start custom compiling PHP because then it is unlikely that most of them will be properly maintained. This is why we use repositories; this is why there is backporting.

This problem can be simply solved by updating your minimum version criteria to account for backporting and thereby encompass these mainstream platforms.

Found this thread through a Google search. As a new user to both CentOS 6.5 and Joomla!, all I can say is this new requirement for the higher PHP version is tripping me up. I know the recommendation from the CentOS developers is to never update a package outside of the stable release channel, and this is because all security fixes get backported by people who know what they are doing to keep all the rest of us secure with a long-term operating system. Living on the edge is fine for development operating systems like Fedora, but you need to drop back to a stable long-term version on servers that will be around longer than 6 months at a time.

Just my two cents, wish I had the knowledge to suggest a better way of doing things, but I don't.

[edit] What a fully patched CentOS 6.5 system looks like; can't get rid of the Joomla! 3.3 upgrade notice (attached screenshot: joomla_admin.png)

Thanks for your consideration.

We tried with 3.2.0 and it failed massively. The only workable solution we could come up with was drawing the line at 5.3.7 minimum. We elected to raise to 5.3.10 because of a major security issue fixed between 5.3.7 and 5.3.10.

In my case, I have a lot of clients using websites with Joomla 1.5 and 2.5 and they don't want to pay for an upgrade of their websites to Joomla 3 because the websites are working perfectly, the server is secured and never had problems.
For some of them, I tested a new server with PHP 5.3.7 and that caused problems, so upgrading the entire server to PHP 5.3.10 or higher will cause me problems.
At this moment I manage multiple hosting accounts on different companies; the support is very good but the PHP version is 5.2-5.3, less than 5.3.10.
As most of the hosting companies do not offer 5.3.10 or higher, I will look for the WordPress CMS for the future websites. You should consider that a big disappointment for one Joomla user with multiple websites. The decision is yours, but the graphics show worse for Joomla 3 as far as I can see.

Well, I have been a Joomla user since the Mambo days (11 years). This PHP "Security" requirement is a deal breaker for me. I run CentOS on all my servers. I will not be forced to custom build packages and make my servers less secure just because Joomla cannot figure out that 5.3.3-27.el6_5 is basically the same as 5.3.10.

If anyone is aware of a highly reliable method in which these modified PHP 5.3.3 builds could be checked for compliance, we would be open to seeing if we could make them work. As I mentioned before, we have tried a check which used a combination of version number or features, specifically around the bcrypt changes in 5.3.7, and could not come up with a working solution.
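The two posts above describe the core problem: on RHEL/CentOS the string in PHP_VERSION stays at 5.3.3 even after Red Hat backports fixes, so a `version_compare()` gate cannot tell a patched 5.3.3 from an unpatched one. What follows is an added illustration, not Joomla's code and not the check the project tried, of the alternative approach mentioned in the post (probing the behaviour of the PHP 5.3.7 bcrypt change rather than the version number). It assumes only the standard `crypt()` function; the salt and probe passwords are constructed values. The thread's own caveat still applies: Joomla reported that a feature-based check of this kind did not work reliably across the patched builds they encountered, so treat this as a demonstration of the technique, not a drop-in replacement for the version gate.

```php
<?php
// Added example (not Joomla's code): feature-test the PHP 5.3.7 bcrypt change
// instead of trusting the reported version string, which distributions freeze
// when they backport fixes.

function bcryptCryptLooksFixed()
{
    // Constructed salt: "$2y$" prefix (new in 5.3.7), cost 04, then 22 chars
    // from the bcrypt alphabet [./A-Za-z0-9]. Cost 04 keeps the probe fast.
    $salt = '$2y$04$abcdefghijklmnopqrstuv';
    $hash = @crypt('probe-password', $salt);

    // PHP before 5.3.7 does not know the $2y$ prefix and returns a failure
    // marker such as "*0" instead of a 60-character bcrypt hash.
    if (!is_string($hash) || strlen($hash) !== 60 || strpos($hash, '$2y$04$') !== 0) {
        return false;
    }
    // A working implementation must be deterministic for the same password...
    if (crypt('probe-password', $hash) !== $hash) {
        return false;
    }
    // ...and must not produce the same hash for a different password.
    if (crypt('other-password', $hash) === $hash) {
        return false;
    }
    return true;
}

function describePhpBcryptSupport()
{
    // Report both answers side by side so the mismatch on a backported build
    // (version says "too old", feature test says "fine") is visible.
    return array(
        'reported_version' => PHP_VERSION,
        'version_says_ok'  => version_compare(PHP_VERSION, '5.3.7', '>='),
        'feature_says_ok'  => bcryptCryptLooksFixed(),
    );
}

print_r(describePhpBcryptSupport());
```

Run it with the distribution's own PHP binary (`php probe.php`, assuming the file is saved under that name). On a stock CentOS 6 build the two booleans may disagree, which is exactly the situation the thread is about; on a vanilla PHP older than 5.3.7 both are false.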

According to CVE Details, PHP 5.3.3, the version that is included in RHEL 5 (as php53) and RHEL 6 (as php) and the associated clones (CentOS, Scientific Linux, etc.) should have 61 vulnerabilities if unpatched. Since Red Hat backports patches, the version number doesn't tell the whole story when it comes to the security of the package.

What follows is a list of all 61 CVE vulnerabilities for PHP 5.3.3 and the associated information about that from Red Hat.

So of the 61 identified vulnerabilities, Red Hat backported patches to 30 of them, showed that PHP as shipped on Red Hat systems was not vulnerable on 11 of them, and explained that 17 of them were not security issues. There are 3 issues to still discuss. One required a userland change to the code (CVE-2011-4718), something that I would be interested to know if Joomla has investigated. One had no response from Red Hat, but can clearly be seen as a severe edge case with little to no chance of being exploited. The last one (CVE-2014-2497) is the most recent and is still under evaluation for a possible fix even though it has such a low impact.

I started looking into all of these issues not knowing full well if Red Hat had addressed all of them, but I was confident that they had. Therefore, both RHEL 5 and RHEL 6 (and its clones) have "raised the bar on security" and should be supported by Joomla 3.3.

I am also running into the problem using RedHat Enterprise Linux 6 and being no longer able to use Joomla 3.3 and up.

We use RHEL because of their backporting policy. Having a company backporting security fixes without breaking current behaviour is very important for us and that's what we actually pay for.

By forcing us to use non-standard packages, Joomla actually lowers the bar on security, as you force your customers to use not-so-well-tested packages, where it is a bit unknown how often and for how long they will be updated by the maintainers.

Additionally, I cannot easily swap in a new PHP version, as other software that comes with the distribution expects the RHEL version of PHP. Software written for RHEL actually can expect the RHEL version, as stability is the core and the heart of enterprise distributions.

I strongly suggest to revise your decision and support RHEL/CentOS and so on throughout their Lifetime, as they can actually easily jump over the new height of the security bar.

I have a number of client sites hosted by a company who are very professional and offer me a very good business model.

Sadly some of my clients are now telling me I need to upgrade them to Joomla 3.3 - and I have to tell them I can't - because in common with many other Hosters they are running Centos/Plesk, fully patched, but as far as Joomla is concerned "at the wrong level". The security of the environment and installation is obviously important, but refusing to install and forcing the Joomla user to consider alternate setups is clearly not the way to go.

A Warning message clearly stating "This installation is insecure if not supported by PHP version x.y.z" should be flagged up and echoed in the configuration panel, but blocking installation is counter-productive.

Joomla can only ever be as secure as the environment in which it 'sits' and should be inherently secure within the constraints of that environment, but it should not be the Joomla team who mandate what security is run on the host.

Very disappointed, and like Florian, I hope a workaround for this enterprise class setup arrives soon...

Raising The Bar On Security!
I would say, that it should be better known for "Joomla - Raising the bar on taking down sites!"

The joomla upgrade should have had a server check in the upgrade process, which would stop the upgrade if the correct version of php was NOT installed.

We are using servers from one of the largest (and best in my eyes) server providers in the world. Even a new server purchased and setup with all security patches preloaded on yesterday (about 3 weeks after the release of Joomla 3.3), does not have php 5.3.10.

I wonder how many Joomla sites are already now down due to this raising of the bar?

How many more will go down when clients press update and the server does not have the correct version of php, but Joomla does the upgrade anyways, and then takes down the site?

On all of my existing sites, clicking the upgrade button does NOT upgrade to 3.3. It upgrades to 3.2.4 and leaves the message "you should upgrade to 3.3" on the site - annoying, but not in all fairness, fatal.

I would be very interested in which 'world class provider' you are using, and also, if you were upgrading or installing from scratch?